免费扫描
MEDIUMCVE-2025-12189CVSS 4.3

Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.11.1374 - 跨站请求伪造可导致任意文件上传

平台

wordpress

组件

bread-butter

修复版本

7.11.1375

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2025-12189 describes an Arbitrary File Access vulnerability discovered in the Bread & Butter: AI-Powered Lead Intelligence WordPress plugin. This flaw allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. The vulnerability affects versions from 0.0.0 up to and including 7.11.1374, and a fix is available in version 8.0.1398.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The primary impact of CVE-2025-12189 is the potential for remote code execution (RCE) on WordPress websites utilizing the vulnerable Bread & Butter plugin. An attacker can exploit this vulnerability by crafting a Cross-Site Request Forgery (CSRF) request to upload a malicious file, such as a PHP shell, to the server. Successful upload and execution of this file grants the attacker control over the web server, enabling them to modify website content, steal sensitive data, or even compromise the entire system. The attack requires tricking a site administrator into clicking a malicious link, highlighting the importance of user awareness and robust security practices.

利用背景翻译中…

CVE-2025-12189 was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits available, but the vulnerability's nature (CSRF leading to file upload) makes it a likely target for exploitation. The EPSS score is pending evaluation, but the potential for RCE suggests a medium to high probability of exploitation if a suitable exploit is developed and disseminated. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.

哪些人处于风险中翻译中…

Websites running WordPress with the Bread & Butter: AI-Powered Lead Intelligence plugin installed, particularly those with site administrators who are susceptible to social engineering attacks. Shared hosting environments are at increased risk as they often have limited control over plugin updates and security configurations.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r 'uploadImage\(' /var/www/html/wp-content/plugins/bread-and-butter/src/*

• wordpress / composer / npm:

wp plugin list --status=all | grep 'bread-and-butter'

• wordpress / composer / npm:

wp plugin update bread-and-butter --version=8.0.1398

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.03% (10% 百分位)

CISA SSVC

利用情况poc
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N4.3MEDIUMAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionRequired是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
无 — 无机密性影响。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

组件bread-butter
供应商wordfence
影响范围修复版本
0.0.0 – 7.11.13747.11.1375

软件包信息

活跃安装数
30
插件评分
4.7
需要WordPress版本
5.0+
兼容至
7.0
需要PHP版本
7.4+
主页

弱点分类 (CWE)

CWE-352

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-12189 is to immediately upgrade the Bread & Butter plugin to version 8.0.1398 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file upload capabilities within the plugin's settings, if available. Additionally, implement strict CSRF protection measures at the WordPress level, ensuring all sensitive actions require proper nonce validation. Regularly review WordPress plugin permissions and restrict access to sensitive functions. After upgrading, confirm the fix by attempting to upload a test file through the plugin's interface and verifying that the upload is denied or properly validated.

修复方法

更新至 8.0.1398 版本,或更新的修复版本

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-12189 — Arbitrary File Access in Bread & Butter Plugin?

CVE-2025-12189 is a vulnerability in the Bread & Butter WordPress plugin allowing attackers to upload arbitrary files, potentially leading to remote code execution. It affects versions 0.0.0–7.11.1374.

Am I affected by CVE-2025-12189 in Bread & Butter Plugin?

You are affected if your WordPress site uses the Bread & Butter plugin in versions 0.0.0 through 7.11.1374. Upgrade to 8.0.1398 or later to mitigate the risk.

How do I fix CVE-2025-12189 in Bread & Butter Plugin?

Upgrade the Bread & Butter plugin to version 8.0.1398 or later. If immediate upgrade isn't possible, implement temporary CSRF protection measures.

Is CVE-2025-12189 being actively exploited?

While no public exploits are currently known, the vulnerability's nature makes it a likely target for exploitation. Monitor security advisories for updates.

Where can I find the official Bread & Butter advisory for CVE-2025-12189?

Refer to the Bread & Butter plugin's official website or WordPress plugin repository for the latest security advisory and update information.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE